By Nandita Bose and Joseph Menn
WASHINGTON/SAN FRANCISCO (Reuters) – A bipartisan group of U.S. senators on the powerful judiciary committee on Thursday introduced a bill aimed at curbing online distribution of child sexual abuse material that technology and civil liberties groups said was an attack on strong encryption critical to billions of people.
The bill by Judiciary Committee Chairman Lindsey Graham and Democratic member Richard Blumenthal would end the civil immunity of platforms like Facebook and Alphabet’s Google for user-posted content if they do not follow a new commission’s “best practices” for detecting abusive images. Security experts joined tech trade groups in condemning the bill, saying it was exploiting the scourge of child abuse to threaten encryption protecting ordinary Americans and businesses.
The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019,” or “EARN IT Act,” has eight additional co-sponsors, including the judiciary committee’s top Democrat, Dianne Feinstein, fellow Democrats Dick Durbin and Sheldon Whitehouse, and Republican senators Josh Hawley, Kevin Cramer and Joni Ernst.
That lineup makes the bill likely to emerge from the committee and at least reach the floor of the Senate, unlike past attempts to hinder strong encryption. Whether it would pass there and in the House are open questions.
A Senate judiciary committee hearing has been scheduled for Wednesday.
The bill would overrule the immunity companies have under federal law known as Section 230, which shields online platforms from being treated as the publisher of information they distribute from others, protecting them from most liability over content.
Democratic Senator Ron Wyden, who co-authored Section 230, criticized the bill.
“This terrible legislation is a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans’ lives,” he said.
The Earn It Act cuts the immunity for companies that do not follow practices laid out by a 19-member commission headed by the attorney general, an outspoken foe of strong encryption.
Other members will come from law enforcement, abuse survivors and victims’ services groups, as well as the tech industry.
“For the first time, you will have to earn blanket liability protection when it comes to protecting minors,” Graham said in a statement.
Blumenthal said technology companies need to do better.
“Tech companies have an extraordinary special safeguard against legal liability, but that unique protection comes with a responsibility,” he said.
Immunity from legal responsibility “is a privilege – they have to earn it – and that’s what our bipartisan bill requires,” Blumenthal added.
The move is the latest example of how regulators and lawmakers in Washington are reconsidering the need for incentives that once helped online companies grow but are increasingly viewed as impediments to curbing online crime, hate speech and extremism.
A careful international strategy has already resulted in the United Kingdom and Australia, close U.S. allies, passing laws requiring tech companies to provide technical aid to police investigations. Top Justice Department national security official John Demers said last week that could undercut the tech companies’ argument that U.S. encryption restrictions would make them less competitive with rivals based elsewhere.
Opponents of the bill said it was a foregone conclusion that the “best practices” would not include end-to-end encryption, which stops tech companies, police and hackers from reading messages unless they have access to the devices that sent or received them.
Facebook spokesman Thomas Richards said the company is concerned the bill would limit the ability of American companies to provide private and secure services.
“The EARN IT Act creates a false choice between protecting children and supporting strong encryption protections,” said Carl Szabo, vice president and general counsel at NetChoice – a group that counts Facebook, Google, Twitter among its members.
The American Civil Liberties Union said the bill threatens the safety of activists, domestic violence victims and millions of others who rely on strong encryption every day. Others said it raised constitutional issues on freedom from unreasonable searches.
Johns Hopkins security engineering professor Matthew Green said the requirement that two commission members have experience in cryptography or data security showed that it was aimed squarely at encryption.
“This bill is going to be highly damaging to data security,” Green wrote on Twitter. “Worse, by allowing law enforcement to politicize CSAM detection, this bill is going to permanently damage any chance of a productive relationship between Silicon Valley and the organizations that care about the issue.”
At a separate event on Thursday, the Department of Justice and major tech companies agreed on principles for combating child exploitation online. One of the principles said that technology platforms “should seek to design their products with child safety in mind,” which could be seen as opening a discussion about how to defeat encryption.
“I hope this is just the start of us working together to do more,” said British Home Office minister James Brokenshire, who attended the event. He noted, however, that “encryption remains the elephant in the room.”
(This story fixes typo in Dianne Feinstein’s name, paragraph 3)
(Reporting by Nandita Bose in Washington and Joseph Menn in San Francisco; Additional reporting by Raphael Satter in Washington; Editing by Dan Grebler)